computer programmer

Security practitioners have myriad different experiences and backgrounds that lead them to work in the field. Once inside, career trajectories vary alongside the individual pursuing that path. In other words, in security, there is no “one size fits all” for how to become an administrator, engineer, researcher, or CISO. Each individual’s skills, interests, and environment shape where she or he finds a professional “home.”

For our series “How I Became….” InfoSec Insider speaks with security professionals in various roles to learn what brought these practitioners to where they are today. In this Q&A, Matias Madou shares how he ended up in a CTO role at Secure Code Warrior, a software developer security training organization.

What was your first professional job?

When I was a PhD candidate in Ghent, I was working on static analysis for code obfuscation. For those who aren’t familiar with the process, code obfuscation is basically scrambling an application so that a human can’t easily decipher  the inner workings. As I was working on finding algorithms to scramble an app, I was also working on how to break it then bring it back to its original format. It was very interesting work.

During that period, I held two-in-industry internships as a security researcher. The internships were eye opening. At university, the work is quite theoretical. When you’re in the ‘real world,’ working for a company that is selling products to customers who need solutions to real problems, it’s quite different. You need to make something that has to work and it has to work for a lot of people. It’s no longer theoretical; you need a practical solution that fixes a large-scale market problem. Working in the industry I found that companies are really innovative—but they’re keeping a lot of the good stuff to themselves. They don’t want it to get out because it’s a competitive advantage for them. At university, you’re encouraged to publish your work, but it’s rare to find the truly innovative work that cutting-edge companies are working on to use in your research. I wanted to be part of that cutting-edge technology, so during my last internship, as I was working on finding vulnerabilities in code, I liked it so much that I decided to stay in the field.

Did you have any formal training before entering security? 

The focus of my PhD was software security, so that was my formal training. In addition, I took a week-long course at the University of Leuven called SecAppDev that provides intensive training in secure code development. It’s a great training venue and I eventually became an instructor there.

Early on, I attended conferences to learn and now through speaking at various events and our Secure Code Warrior tournaments, I hope that I am able to pass on some of that knowledge and  help others  learn about writing secure code.

During my last internship at Fortify I was told by someone, “You have to find one thing in life and be really good it.” I always keep that in mind, and continuous training helps.

What about your current role now drew you to its specialty?  

After my internships and a decade of professional software security experience, I started a company called Sensei Security. The point was to guide developers in real-time to write secure code. I was working with a small internal team of developers that shared the same passion..

Sensei Security then merged with Secure Code Warrior, where I am now. Because I’ve been in the field for a while, and was always quite technical and know the appsec space, I grew into the role. It was never my intention to become a CTO, but I had a vision for a product; I wanted to make a solution to help developers, and people seemed to like it. The job fit my experience; I pursued an idea rather than a role.

What skills would you recommend to anyone looking to become a CTO?

I don’t know—that’s an interesting question. Enjoy what you’re doing! Find good people to surround yourself with and you’ll see what happens. Focus on making something that works, not trying to attain a specific position.

Tell us something about your job that people not in that role would not expect. 

Before I started as  CTO, I would have thought the biggest part of my job was to manage our engineering team. This role has certainly been more externally facing. I am on the road quite often speaking at various conferences and meeting with prospects In this role, you have to trust and be able to depend on your developers. I am very fortunate that I have a great team and have great technical leads in place which allows me to be more externally focused.


Matias will be running a Tech Lab entitled "How to Become a Secure Code Warrior" at InfoSec World Conference in Orlando, Florida, March 19-21, 2018. Attend this session and compete for prizes and infosec glory!